Antivirus software-maker Central Command issued a warning today about a newly discovered worm that masquerades as an email from Microsoft Technical Support. According to Central Command, the new worm, Win32.Invalid.A@mm, falsely claims to come from "Microsoft Support - [email protected]" with a message title that reads "Invalid SSL Certificate."
The body of the message entices users to run a file entitled, "sslpatch.exe" under the premise that the patch corrects a buffer-overflow condition in Internet Explorer (IE). Actually, sslpatch.exe is a copy of the worm that carries a destructive payload--it makes executable files unusable by encrypting them with a random encryption key. Once sslpatch.exe is active on a system, the worm tests to see if an Internet connection is active; if so, the worm parses all .HT* files in the My Documents directory to read any email addresses those files contain. The worm then sends a copy of itself to each email address it found.
Microsoft has said in the past that users should be aware that Microsoft never emails patches to use. Instead, users can find all of the company's patches only on its Web site. If you receive an email claiming to be from Microsoft that contains a patch, the email probably is a forgery, and you should consider its content as potentially dangerous.